? logon 
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*** It is now 2008/11/03 17:31:12 *** 
(Dialog time 2008/11/03 17:31:12) 

HILIGHT set on as " 

>>>100 is not in the range between 1 and 50, original value 30 is used. 
IGOR705 is set ON as an alias for 

2, 9, 15, 16, 20, 35, 65, 77, 99, 148, 16 0, 23 3, 2 56, 275, 347, 348, 349, 474, 475, 476, 583, 

10, 613, 62 1,624, 63 4, 636, 810, 813 

IGORMEDIC is set ON as an alias for 

5,34, 42, 43, 73, 74, 129, 13 0, 149, 155, 442, 444, 455 

IGORINSUR is set ON as an alias for 169,625,637 

IGORBANK is set ON as an alias for 13 9,267,268,625,626 

IGORTRANS is set ON as an alias for 6,63,80,108,637 

IGORSHOPCOUPON is set ON as an alias for 47 , 5 70 , 635 , PAPERSMJ, PAPERSEU 
IGORINVEN is set ON as an alias for 6,7,8,14,34,94,434 
IGORFUNDTRANS is set ON as an alias for 6 08 



? b igor705 



>» 77 does not exist 

>» 233 does not exist 

>» 476 does not exist 

>>>3 of the specified files are not available 

03nov08 17:31:26 User268082 Session D115.1 
$0.00 0.242 DialUnits File415 
$0.00 Estimated cost File415 
$0.05 INTERNET 

$0.05 Estimated cost this search 

$0.05 Estimated total session cost 0.242 DialUnits 



SYSTEM: OS - DIALOG OneSearch 

File 2:INSPEC 1 89 8-2 0 08 /Oct Wl 

(c) 2008 Institution of Electrical Engineers 
File 9:Business & Industry(R) Jul/ 1 99 4-2 008 /Oct 31 
(c) 2008 Gale/Cengage 
*File 9: UD names were adjusted to reflect load date. 
All data is present. 

File 15:ABI/Inform(R) 19 71-2 008/Nov 03 

(c) 2008 ProQuest Inf o&Learning 
File 16:Gale Group PROMT (R) 1 9 9 0-2 0 0 8/ Oct 23 
(c) 2008 Gale/Cengage 
*File 16: Because of updating irregularities, the banner and the 
update (UD=) may vary. 

File 20:Dialog Global Reporter 1 99 7-20 08/Nov 03 

(c) 2008 Dialog 
File 35:Dissertation Abs Online 186 1-2 008/Oct 

(c) 2008 ProQuest Inf o&Learning 
File 65:Inside Conferences 1993-2008/Nov 03 

(c) 2008 BLDSC all rts . reserv. 
File 99:Wilson Appl. Sci & Tech Abs 19 83-2 00 8/Aug 

(c) 2008 The HW Wilson Co. 
File 148:Gale Group Trade & Industry DB 1 9 76-2008/Oct 30 
(c) 2008 Gale/Cengage 
*File 148: The CURRENT feature is not working in File 148. 
See HELP NEWS 14 8. 

File 160:Gale Group PROMT (R) 1972-1989 
(c) 1999 The Gale Group 
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File 256:TecInfoSource 82-2008/Jan 

(c) 2008 Info. Sources Inc 
File 275:Gale Group Computer DB(TM) 1983-2008/Oct 22 

(c) 2008 Gale/Cengage 
File 347:JAPIO Dec 19 76-2 00 7/Dec ( Updated 080328) 

(c) 2008 JPO & JAPIO 
File 348:EUROPEAN PATENTS 1978-200844 

(c) 2008 European Patent Office 
File 349:PCT FULLTEXT 1 9 7 9-2 0 08 /UB=2 0 08 1 03 0 | UT=2 0 08 1 023 

(c) 2008 WIPO/Thomson 
File 474:New York Times Abs 1969-2008/Nov 01 

(c) 2008 The New York Times 
File 475: Wall Street Journal Abs 19 73-2 008/Nov 01 

(c) 2008 The New York Times 
File 583:Gale Group Globalbase ( TM) 1986-2002/Dec 13 

(c) 2002 Gale/Cengage 
*File 583: This file is no longer updating as of 12-13-2002. 
File 610:Business Wire 1999-2008/Nov 03 

(c) 2008 Business Wire. 
*File 610: File 610 now contains data from 3/99 forward. 
Archive data (1986-2/99) is available in File 810. 
File 613 :PR Newswire 1999-2008/Nov 03 

(c) 2008 PR Newswire Association Inc 
*File 613: File 613 now contains data from 5/99 forward. 
Archive data (1987-4/99) is available in File 813. 

File 621:Gale Group New Prod . Annou . ( R) 1985-2008/Oct 09 

(c) 2008 Gale/Cengage 
File 624:McGraw-Hill Publications 1985-2008/Nov 03 

(c) 2008 McGraw-Hill Co. Inc 
File 634: San Jose Mercury Jun 1985-2008/Oct 31 

(c) 2008 San Jose Mercury News 
File 636:Gale Group Newsletter DB (TM) 1987-2008/Oct 23 

(c) 2008 Gale/Cengage 
File 810:Business Wire 1986-1999/Feb 28 

(c) 1999 Business Wire 
File 813 :PR Newswire 1987-1999/Apr 30 

(c) 1999 PR Newswire Association Inc 

Set Items Description 



? s (((historical or history or profile ) (w) (usage or load)) or ((usage 
or load ) (5n) report???) or (usage or load)) and (energy or power or 
electricity or utility) 



Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 



Processing 
Processing 
Processing 
Processing 
Processing 
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Processing 
Processing 
Processing 
Processing 
Processed 
Processing 
Processing 
Processed 20 of 
Processing 
Completed proces: 
3853917 
5532641 
3081765 
1719404 
2092137 
2464 
1719404 
2092137 
33854806 
62460 
1719404 
2092137 
10087598 
13086264 
1947585 
2348382 
SI 1298709 



10 of 26 files 



all file 



HISTORICAL 

HISTORY 

PROFILE 

USAGE 

LOAD 

((HISTORICAL OR HISTORY) OR PROFILE) (W) (USAGE OR LOAD) 
USAGE 
LOAD 

REPORT??? 

(USAGE OR LOAD) ( 5N) REPORT ?? ? 
USAGE 
LOAD 
ENERGY 
POWER 

ELECTRICITY 
UTILITY 

(((HISTORICAL OR HISTORY OR PROFILE ) (W) (USAGE OR 
LOAD)) OR ((USAGE OR LOAD ) (5N) REPORT???) OR (USAGE OR 
LOAD) ) AND (ENERGY OR POWER OR ELECTRICITY OR UTILITY) 



? s (exchange or auction or market or marketplace) 



Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 



Processing 
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Processing 

Processed 10 of 26 files ... 
Processing 

Processed 20 of 26 files . . . 
Completed processing all files 

13185140 EXCHANGE 

884574 AUCTION 

31047205 MARKET 

268553 7 MARKETPLACE 

S238526420 (EXCHANGE OR AUCTION OR MARKET OR MARKETPLACE) 



? s (report??? (w) (load or usage or demand)) and (energy or power or 
electricity or utility) 



Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 



Processing 
Processing 
Processing 
Processed 
Processing 
Processing 
Processed 20 
Completed pro- 

33854806 
2092137 
1719404 
8705030 
5479 
10087598 
13086264 
1947585 
2348382 
S3 1623 



10 of 26 files 



26 files . . . 
sing all files 
REPORT??? 
LOAD 
USAGE 
DEMAND 

REPORT??? (W) ((LOAD OR USAGE) OR DEMAND) 
ENERGY 
POWER 

ELECTRICITY 
UTILITY 

(REPORT??? (W) (LOAD OR USAGE OR DEMAND)) AND (ENERGY OR 
POWER OR ELECTRICITY OR UTILITY) 



? s bidding or s2 



Processing 
Processing 
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Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 

Processing 
Processing 

Processed 10 of 26 files . . . 
>»Disk space full 
>>>Workspace is full 



?ds 



Set Items Description 

51 1298709 (((HISTORICAL OR HISTORY OR PROFILE ) (W) (USAGE OR LOAD)) 

OR ((USAGE OR LOAD ) (5N) REPORT???) OR (USAGE OR LOAD)) AND 
(ENERGY OR POWER OR ELECTRICITY OR UTILITY) 

52 38526420 (EXCHANGE OR AUCTION OR MARKET OR MARKETPLACE) 

53 1623 (REPORT??? (W) (LOAD OR USAGE OR DEMAND)) AND (ENERGY OR 

POWER OR ELECTRICITY OR UTILITY) 



? s sl and s2 



Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
Processing 
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Processing 

Processed 10 of 26 files . 

Processing 

Processing 

Processed 20 of 26 files . 

Processing 

Processing 

Completed processing all fil 
1298709 SI 
38526420 S2 
S4 503662 SI AND S2 



? s s4 and s3 



503662 
1623 
S5 566 



S4 
S3 

S4 AND S3 



? s s5 and ((providing or report???) (w) (usage or load) (w) (bidders or 
participants)) 



Processing 
Processing 
Processing 
Processing 
Processing 



Processing 

Processing 
Processing 

Processed 10 of 26 files ... 

Processed 20 of 26 files ... 
Completed processing all files 
566 S5 
10193988 PROVIDING 
33854806 REPORT??? 
1719404 USAGE 
2092137 LOAD 

334148 BIDDERS 
2270215 PARTICIPANTS 

1 (PROVIDING OR REPORT???) (W) (USAGE OR LOAD) (W) (BIDDERS OR 
PARTICIPANTS) 

S6 1 S5 AND ((PROVIDING OR REPORT???) (W) (USAGE OR LOAD) (W) 

(BIDDERS OR PARTICIPANTS) ) 



? t s6/3,k/l 
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Dialog eLink: Ord er File History 

6/3K/1 (Item 1 from file: 348) 

DIALOG(R)File 348: EUROPEAN PATENTS 

(c) 2008 European Patent Office. All rights reserved. 

02038564 

Secure transaction management 

Sicheres Transaktionsmanagement 
Gestion de transactions securisees 

Patent Assignee: 

• Intertrust Technologies Corp.; (2434323) 
955 Stewart Drive; Sunnyvale, CA 94085; (US) 
(Applicant designated States: all) 

Inventor: 

• Ginter, Karl L. 

10404 43rd Avenue; Beltsville, MD 20705; (US) 

• Shear, Victor H. 

5203 Battery Lane; Bethesda, MD 20814; (US) 

• Spahn, Francis J. 

2410 Edwards Avenue; El Cerrito, CA 94530; (US) 

• Van Wie, David M. 

51430 Williamette Street 6; Eugene, OR 97401; (US) 

Legal Representative: 

• Beresford, Keith Denis Lewis (28273) 

BERESFORD & Co. 16 High Holborn; London WC1V 6BX; (GB) 





Country 


Number 


Kind 


Date 




|Patent 


EP 


1643340 


A2 


20060405 


(Basic) 




EP 


1643340 


A3 


20060531 





ApplicationEP2005077923 1 99602 1 3 



PrioritiesUS3 88 1 07 1 99502 1 3 
Designated States: 

AT; BE; CH; DE; DK; ES; FR; GB; GR; IE; 
IT; LI; LU; MC; NL; PT; SE; 

Related Parent Numbers: Patent (Application) :EP 861461 (EP 96922371) 



7 



Save-2008-11-03_145612 



IPC 


Level 


Value 


Position 


Status 


Version 


Action 


Source 


Office 


G06F-0001/00 


A 


I 


F 


B 


20060101 


20060213 


H 


EP 



Abstract Word Count: 147 
NOTE: 5b 

NOTE: Figure number on first page: 5b 
[Type | Pub. Date | Kind [Text | 



Publication: English 
Procedural: English 
Application: English 



Available Text 


Language 


Update 


Word Count 


CLAIMS A 


(English) 


200614 


2171 


SPEC A 


(English) 


200614 


193720 


Total Word Count (Document A) 195924 


Total Word Count (Document B) 0 


Total Word Count (All Documents) 195924 



Specification: ...as metering, budgeting, decrypting and/or 
fingerprinting, may as relates to a certain user content usage activity, 
be performed in a user's local VDE installation secure subsystem, or said 

processes For example, a local VDE installation may perform 

decryption and save any, or all of, usage metering information related to 
content and/or electronic appliance usage at such user installation could 

be performed at the server employing secure (e.g., encrypted also 

be used for near real time, frequent, or more periodic secure receipt of 
content usage information from said user installation, with, for example, 

metered information being maintained only temporarily at least in 

part, opaque. 

VDE supports a general purpose foundation for secure transaction 
management, including usage control, auditing, reporting, and/or payment. 
This general purpose foundation is called "VDE Functions" ("VDEFs"). VDE 
also supports a collection of "atomic" application elements (e.g., load 
modules) that can be selectively aggregated together to form various VDEF 

capabilities called control methods an electronic appliance 

includes VDEF capabilities, it is called a "Rights Operating System" 
(ROS). VDEF load modules, associated data, and methods form a body of 

information that for the purposes of participant as part of such a 

contribution. In the most general example, a generally certified load 
module (certified for a given VDE arrangement and/or content class) may 

be used with are allowed, can independently and securely add, 

delete, and/or otherwise modify the specification of load modules and 
methods, as well as add, delete or otherwise modify related information. 



8 
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Normally the a content distribution application, to be used by such 

installation for securely controlling VDE content usage, auditing, 
reporting and/or payment. Similarly, a specific VDE participant may enter 

into a VDE user agreement a given transaction to occur are met. 

This includes the secure execution of any required load modules and the 
availability of any required, associated data. For example, required load 
modules and data (e.g. in the form of a method) might specify that 

sufficient authorized source must be confirmed as available. It 

might further require certain one or more load modules execute as 
processes at an appropriate time to ensure that such credit will be... 
...for a general purpose, sufficiently secure distributed electronic 
commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and 

evolving overall business models. For example, VDE content 

container and associating content control information with said content), 
content and/or electronic appliance usage auditing, content usage 
analysis, as well as content usage control; and b) said hardware having 
been designed to securely handle processing load module control 
activities, wherein said control processing activities may involve a 

sequence of required control acquire or otherwise use a portion of 

such product or section. VDE supports metering and usage control over a 
variety of increments (including "atomic" increments, and combinations of 

different increment types store at a user's site potentially highly 

detailed information reflective of a user's usage of a variety of 

different content segment types and employing both inexpensive "exposed" 

host mass trusted chain of handling capabilities for pathways of 

distributed electronic information and/or for content usage related 
information. Such chains may extend, for example, from a content creator, 
to a distributor, a redistributor, a client user, and then may provide a 
pathway for securely reporting the same and/or differing usage 
information to one or more auditors, such as to one or more independent 

clearinghouses and and/or different pathways employed for certain 

content handling, and related content control information and reporting 
information handling, may also be employed as one or more pathways for 

electronic payment handling is characterized in the present 

invention as administrative content) for electronic content and/or 
appliance usage. These pathways are used for conveyance of all or 

portions of content, and/or content to disseminate commercially 

distributed property content, content control information, payment 
administrative content, and/or associated usage reporting information. 
Control information specified by content providers may also specify which 

specific parties must or allow, in a practical manner, the 

retention and ready recall of information related to previous usage 
activities and related patterns. This flexibility is adaptable to a wide 

variety of billing and interval of time.Use of bitmap meters 

(including "regular" and "wide" bitmap meters) to record usage and/or 
purchase of information, in conjunction with other elements of the 
preferred embodiment of the present invention, uniquely supports 
efficient maintenance of usage history for: (a) rental, (b) flat fee 
licensing or purchase, (c) licensing or purchase discounts based upon 
historical usage variables, and (d) reporting to users in a manner 

9 
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enabling users to determine whether a certain item was acquired... with a 
remote VDE authority (until, for example, budgets are exhausted or a time 
content usage reporting interval has occurred). Traveling objects can 

travel "out-of-channel," allowing, for example, a user distributed 

transaction management arrangements. VDE supports providing such 
executable code in the form of "atomic" load modules and associated data. 
Many such load modules are inherently configurable, aggregatable, 
portable, and extensible and singularly, or in combination (along with... 
...methods are created primarily through the use of one or more of said 
executable, reusable load module code pieces (normally in the form of 

executable object components) and associated data. The result of 

the submission and use of secure, control information components 
(executable code such as load modules and/or methods, and/or associated 
data). These components may be contributed independently by... 
...operating system functions to properly direct transaction processes 
and data related to electronic information security, usage control, 
auditing, and usage reporting. VDE provides the capability to manages 

resources related to secure VDE content and/or appliance and/or 

system functionality under VDE and to facilitate integration into 
electronic appliance environments of load modules and methods created 
under the present invention. To achieve this, VDE employs an 

Application specifications for limiting the price per transaction, 

unit of time, and/or session, for accessing history information 
concerning previous transactions, for reviewing financial information 
such as budgets, expenditures (e.g. detailed and/or summary) and usage 
analysis information, and (c) VDE aware applications which, as a result 

of the use of. to a manageable subset particularly appropriate for a 

given business model allows the full configurable power of the present 
invention to be easily employed by "typical" users who would be 

otherwise and optimally bug free by reducing the risks associated 

with the contribution of independently developed load modules, including 
unpredictable aspects of code interaction between independent modules and 

applications, as well as may be used to provide individual, overall 

- frameworks for organizations and individuals that create, modify, 
market, distribute, consume, and/or otherwise use movies, audio 
recordings and live performances, magazines, telephony based retail 
sales, catalogs, computer software, information data bases, multimedia, 
commercial communications, advertisements, market surveys, infomercials, 
games, CAD/CAM services for numerically controlled machines, and the 

like. As the of electronic information control increments. This 

includes supporting variable control information for budgeting and 
auditing usage as applied to a variety of predefined increments of 

electronic information, including employing a variety units of 

measure, credit limit, security budget limit and security content 
metering increments, and/or market surveying and customer profiling 

content metering increments. For example, a CD-ROM disk with a the 

wide area network it is installed on. 

) provide mechanisms to persistently maintain trusted content usage and 
reporting control information through both a sufficiently secure chain of 
handling of content and content control information and through various 
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forms of usage of such content wherein said persistence of control may 

survive such use. Persistence of control for this purpose and/or 

VDE installation control information stipulates should persist and/or 
control usage of content in the newly formed container. Such control 
information can continue to manage usage of container content if the 

container is "embedded" into another VDE managed object, such as of 

information derived from their use of a VDE installation and content 
and/or appliance usage auditing. In particular, VDE can prevent 
information related to a participant's usage of electronic content from 
being provided to other parties without the participant's tacit or... 
...independently, securely delivered further control information. Said 
control information may include executable code (e.g., load modules) that 
has been certified as acceptable (e.g., reliable and trusted) for use 

with VDE distributed arrangement. This modification (evolution) of 

control information can occur upon content control information (load 
modules and any associated data) circulating to one or more VDE 

participants in a pathway permission, auditing, payment, and 

reporting control information related to controlling, analyzing, paying 
for, and/or reporting usage of, electronic content and/or appliances (for 
example, as related to usage of VDE controlled property content). 
Independently delivered (from an independent source which is independent 

except information into the control information for commercially 

distributed content and/or services related to appliance usage. Proposed 
control information is used to an extent allowed by senior control 

information and as business activities which are dependent on 

electronic commercial product content distribution, such as acquiring 
detailed market survey information and/or supporting advertising, both of 

which can increase revenue and result in applying different content 

control information to the same and/or different content and/or appliance 
usage related activities, and/or to different parties in a content and/or 
appliance usage model, such that different parties (or classes of VDE 

users, for example) are subject to control information causing the 

generation of a VDE content container whose content includes customer 
content usage information reflecting secure, trusted revenue summary 

information and/or detailed user transaction listings (level of. a 

VDE container. Such a container may also be used for other VDE related 
content usage reporting information. 

) support the flowing of content control information through different 

"branches" of content control information or it might involve the 

selection of certain one or more already "in-place" content usage control 
methods over in-place alternative methods, as well as the submission of 

relevant control flow of both VDE content control information and 

VDE managed content enables an electronic commerce marketplace which 
supports diverging, competitive business partnerships, agreements, and 

evolving overall business models which can employ secured, e.g., 

encrypted, in part or as a whole, and may be subject to usage and/or 
auditing control information that differs from the those applied to 

previously in place preserve VDE control over one or more portions 

of extracted content after various forms of usage of said portions, for 
example, maintain content in securely stored form while allowing 

11 
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"temporary" on VDE capabilities thus preserving the rights of 

providers in said content information after various content usage 
processes. 

) support the aggregation of portions of VDE controlled content, such 

portions being subject to preserving at least a portion of the 

control information (e.g., executable code such as load modules) for each 
of various of said portions by, for example, embedding some or all... 
...content control information produced by the negotiation may be uniform 
(such as having the same load modules and/or component assemblies, and/or 

it may apply differing such content control information controlled 

content such as differing metering, budgeting, billing and/or payment 
models. For example, content usage payment may be automatically made, 
either through a clearinghouse, or directly, to different content 

providers individual users, etc. This feature of the present 

invention can be employed for content security, usage analysis (for 
example, market surveying), and/or compensation based upon the use and/or 

exposure to VDE managed content of client organization control 

information wherein an organization client administrator distributes 
control information specifying the usage rights of... world. 
Interoperability is fundamental to efficient electronic commerce. The 
design of the VDE foundation, VDE load modules, and VDE containers, are 
important features that enable the VDE node operating environment to... 
...very broad range of electronic appliances. The ability, for example, 
for control methods based on load modules to execute in very "small" and 

inexpensive secure sub-system environments, such as environments the 

like, electronic mail systems, teleconferencing software, and other data 
authoring, creating, handling, and/or usage applications including 
combinations of the above). These one or more features (which may also 

be s), microprocessor(s), other CPU(s) or other digital processing 

logic. 

) employ audit reconciliation and usage pattern evaluation processes that 
assess, through certain, normally network based, transaction processing 

reconciliation and threshold one or more keys). Determining whether 

irregular patterns (e.g. unusually high demand) of content usage, or 
requests for delivery of certain kinds of VDE controlled information 

during a certain time installations and/or users (including, for 

example, groups of related users whose aggregate pattern of usage is 
suspicious) may also be useful in determining whether security at such 

one or more on content), secure object distribution and management 

(including distribution control information, financial related, and other 
usage analysis), client internal VDE activities administration and 
control, security management, user interfaces, payment disbursement, 

and a large organization to assist in the organization's use of a 

VDE arrangement, including usage information analysis, and control of VDE 
activities by individuals and groups of employees such as specifying 
budgets and the character of usage rights available under VDE for certain 
groups of and/or individual, client personnel, subject to... 
...concurrent database processing means). A financial clearinghouse 
normally receives at its location securely delivered content usage 
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information, and user requests (such as requests for further credit, 
electronic currency, and/or higher credit limit). Reporting of usage 
information and user requests can be used for supporting electronic 
currency, billing, payment and credit related activities, and/or for user 
profile analysis and/or broader market survey analysis and marketing 
(consolidated) list generation or other information derived, at least in 
part, from said usage information, this information can be provided to 
content providers or other parties, through secure, authenticated... 
...communications between a clearinghouse and other VDE pathway 
participants. 

) securely support electronic currency and credit usage control, storage, 
and communication at, and between, VDE installations. VDE further 

supports automated passing of. which said pathway may or may not be 

the same as a pathway for content usage information reporting. Such 
payment may be placed into a VDE container created automatically by a VDE 

installation currency from an electronic credit or currency account 

based upon an amount owed resulting from usage of VDE controlled 
electronic content and/or appliances. Payment credit or currency may then 

be Payment information may be packaged in said VDE content 

container with, or without, related content usage information, such as 
metering information. An aspect of the present invention further enables 

certain information information, such as currency and/or credit use 

related information (and/or other electronic information usage data) to 
be available only under certain strict circumstances, such as a court 

order (which agreement elements. This feature requires maintaining 

a library of textual language that corresponds to VDE load modules and/or 
methods and/or component assemblies. As VDE methods are proposed and/or 

extent practical, such as VDE instances storing certain control 

information and content and/or appliance usage information on the same 
mass storage device and in the same VDE management database. 

) requiring reporting and payment compliance by employing exhaustion of 

budgets and time ageing of keys. For example content provider's 

content and the use of clearinghouse credit for payment for end-user 
usage of said content. Control information regarding said arrangement may 

be delivered to a user's information might require said 

clearinghouse to prepare and telecommunicate to said content provider 
both content usage based information in a certain form, and content usage 
payment in the form of electronic credit (such credit might be "owned" by 

the provider and in some embodiments, automatically, provide in the 

manner specified by said control information, said usage information and 
payment content. Features of the present invention help ensure that a 
requirement that a clearinghouse report such usage information and 
payment content will be observed. For example, if one participant to a 

VDE party from successfully participating in VDE activities related 

to such agreement. For example, if required usage information and payment 
was not reported as specified by content control information, the 
"injured" party can fail to provide, through failing ... 
...clearinghouse, which information can be necessary to authorize use of 
the clearinghouse's credit for usage of the provider's content and which 
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the clearinghouse would communicate to end-user's during a content usage 
reporting communication between the clearinghouse and end-user. As 
another example, a distributor that failed to make payments and/or report 
usage information to a content provider might find that their budget for 

creating permissions records to g., VISA, Mastercard). The VDE card 

and the terminal (and/or online connection) can securely exchange 
information related to a transaction, with credit and/or electronic 

currency being transferred to a of content for metering, billing, 

budgeting, and user identification, for example, paying fees associated 
with usage of content, performing home banking, managing advertising 

services, etc. VDE modular separation of these basic be charged for 

each record of said database decrypted (depending on user selected 
currency). Such usage can be metered while an additional audit for user 

profile purposes can be prepared recording user may also, under VDE 

(if allowed by senior control information), collect audit information 
reflecting usage of database fields by different individuals and client 
organization departments and ensure that differing rights of access and 
differing budgets limiting database usage can be applied to these client 
individuals and groups. Enabling content providers and users to. ..time of 
an electronic purchase, and/or a user might require a method that 
summarizes usage information for reporting to a clearinghouse (e.g. 
billing information) in a way that does not convey confidential, personal 
information regarding detailed usage behavior. 

A further feature of VDE provided by the present invention is that 

creators, distributors can select from among a set of predefined 

methods (if available) to control container content usage and 
distribution functions and/or they may have the right to provide new 
customized methods to control at least certain usage functions (such 
"new" methods may be required to be certified for trustedness and 

interoperability to provides a very high degree of configurability 

with respect to how the distribution and other usage of each property or 

object (or one or more portions of objects or properties as on 

behalf of a financial clearinghouse or government agency). Such control 
information methods (and/or load modules and/or mediating data and/or 

component assemblies) may also be put in place enacted by a 

government agency, or the requirements of a customer of VDE managed 
content usage information (reflecting usage of content by one or more 
parties other than such customer) relating to the creation, handling 
and/or manner of reporting of usage information received by such 
customer. Such control information may, for example, enforce societal 

requirements such appliance rights protection, including the 

enforcing of preferences and requirements of VDE participants. 

Normally, most usage, audit, reporting, payment, and distribution control 
methods are themselves at least in part encrypted and are executed... 
...can be directly used, such as decrypted, displayed, printed, etc; 

3. (3) How payment for usage of such content and/or content portions may 
or must be handled; and 
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4. (4) How audit information about usage information related to at least 

a portion of a property should be collected, reported, and credit) 

providers, 

3. (3) users of (other than financial service providers) information 
arising from content usage such as content specific demographic 
information and user specific descriptive information. Such users may 
include market analysts, marketing list compilers for direct and directed 
marketing, and government agencies, 

4. (4) end handling for electronic content, content and/or 

appliance control information, electronic content and/or appliance usage 
information and payment and/or credit. 

VDE agreements may define the electronic commerce relationship of... 
...chain of handling. This evolving agreement can establish the rights of 
all parties to content usage information, including, for example, the 
nature of information to be received by each party and the pathway of 
handling of content usage information and related procedures. A sixth 

agreement in this example, may involve all parties to elaborate. 

They can support widely diverse information management models that 
provide for electronic information security, usage administration, and 
communication and may support: 

(a) secure electronic distribution of information, for example commercial 
literary properties, 

(b) secure electronic information usage monitoring and reporting, 

(c) secure financial transaction capabilities related to both electronic 
information and/or appliance usage and other electronic credit and/or 
currency usage and administration capabilities, 

(d) privacy protection for usage information a user does not wish to 
release, and 

(e) "living" electronic information content dissemination or more 

pathways (chains) for: the handling of content, content and/or appliance 
control information, reporting of content and/or appliance usage related 
information, and/or payment, 

(3) supporting an evolution of terms and conditions incorporated into... 
...required for trusted SPU hardware processes depends on the commercial 
requirements of particular markets or market niches, and may vary widely. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features and this invention; 

FIGURE 1A is a more detailed illustration of an example of the 
"Information Utility" shown in FIGURE 1; 
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FIGURE 2 illustrates an example of a chain of handling and in 

FIGURE 13; 

FIGURE 1 5 illustrates an example of how the channel services manager and 
load module execution manager of FIGURE 13 can support a channel; 

FIGURE 15A is an example shows an example of a method core 

structure; 

FIGURE 23 shows an example of a load module structure; 

FIGURE 24 shows an example of a User Data Element (UDE) and/or 100 

that may be provided in accordance with this invention. In Figure 1 , an 
information utility 200 connects to communications means 202 such as 

telephone or cable TV lines for example an "electronic highway" 

that carries electronic information from place to place. Lines 202 
connect information utility 200 to other people such as for example a 
consumer 208, an office 210, apeople connected to information utility 200 
may be called a "VDE participant" because they can participate in 

transactions occurring within received goods and services only 

after they handed cash over to a seller. Although information utility 200 
may deliver information by transferring physical "things" such as 

electronic storage media, the virtual 100 facilitates a completely 

electronic "chain of handling and control." 

VDE Flexibility Supports Transactions 

Information utility 200 flexibly supports many different kinds of 
information transactions. Different VDE participants may define and/or 
participate in different parts of a transaction. Information utility 200 
may assist with delivering information about a transaction, or it may be 

one of. programs directly to consumers 206, 208, 210, or it can send 

the programs to information utility 200 which may store and later send 

them to the consumers, for example. Consumers 206 by video 

production studio 204-assuming, that is, that the video production studio 
or information utility 200 has arranged for these consumers to have 

appropriate "rules and controls" (control information) that 204 

wishes to receive $2.00 per viewing. Video production studio 204 may, 
through information utility 200, make the exercise video available in 

"protected" form to all consumers 206; 208, 210 2) virtual 

distribution environment 100 will "meter" each time a consumer watches 
the video, and report usage to video production studio 204 from time to 
time, and 

3. (3) financial provider 212 who watches the video, and transfer 

these payments to the video production studio 204. 

Information utility 200 allows even a small video production studio to 
market videos to consumers and receive compensation for its efforts. 

Moreover, the videos can, with appropriate provide office-internal 

control information and mechanisms. For example, office 210 may set a 
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maximum usage budget for each individual user and/or group within the 

office, or it may permit consumers 206. Even though the electronic 

storage media themselves are not delivered electronically by information 
utility 200 over lines 202, they are still part of the virtual 

distribution environment 100. The to distribute content, "rules and 

controls," or other information. 

Example of What' s Inside Information Utility 200 

"Information utility" 200 in Figure 1 can be a collection of participants 

that may act as distributors administrators. Figure 1A shows an 

example of what may be inside one example of information utility 200. 
Information utility participants 200a-200g could each be an independent 

organization/business. There can be any number of participants 

200a-200g. In this example, electronic "switch" 200a connects internal 
parts of information utility 200 to each other and to outside 
participants, and may also connect outside participants to one another. 

Information utility 200 may include a "transaction processor" 200b that 

processes transactions (to transfer electronic funds, for based on 

requests from participants and/or report receiver 200e. It may also 
include a "usage analyst" 200c that analyzes reported usage information. 
A "report creator" 200d may create reports based on usage for example, 
and may provide these reports to outside participants and/or to 
participants within information utility 200. A "report receiver" 200e may 
receive reports such as usage reports from content users. A 
"permissioning agent" 200f may distribute "rules and controls" granting 
usage or distribution permissions based on a profile of a consumer's 

credit worthiness, for example message storage 200g may store 

information for use by participants within or outside of information 
utility 200. 

Example of Distributing Content" Using A Chain of Handling and Control" 

As explained above rules and controls." The distributor 106 

generates her own "rules and controls" that relate to usage of the 
content. The usage -related "rules and controls" may, for example, 
specify what a user can and can't do with the content and how much it 
costs to use the content. These usage-related "rules and controls" must 
be consistent with the "rules and controls" specified by content... 
...such as a consumer. The content user 1 12 uses the content in 
accordance with the usage-related "rules and controls." 

In this Figure 2 example, information relating to content use is, as 
shown by arrow 114, reported to a financial clearinghouse 116. Based on 

this "reporting," the financial clearinghouse 116 may generate and 

payments" network 118. Arrow 120 shows the content user 112 providing 
payments for content usage to the financial clearinghouse 116. Based on 

the reports and payments it receives, the financial content users 

1 12 "permission" to use certain content. They may specify what kinds of 
content usage are permitted, and what kinds are not. They may specify how 
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content usage is to be paid for and how much it costs. As another 
example, "rules and controls" may require content usage information to be 
reported back to the distributor 106 and/or content creator 102. 

Every VDE participant in "chain process payments, 

C "Rules and controls" may specify which participant(s) receive what kind 
of usage report, and 

C "Rules and controls" may specify that certain information is revealed 

to certain participants and controls" specified by a distributor 

106 that require the user to pay for content usage at a certain rate. 
"Rules and controls" may "persist" as they pass through a "chain... 
...specified by the content creator 102 may permit the distributor 106 to 
"mark up" the usage price just as retail stores "mark up" the wholesale 

price of goods. Figure 2A shows is reported to other VDE 

participants. As one example, "rules and controls" can cause content 
usage information to be reported anonymously without revealing content 
user identity, or it can reveal only certain information to certain 
participants (for example, information derived from usage) with 
appropriate permission, if required. This ability to securely control 

what information is revealed and control the content's 

distribution. The preferred embodiment can securely protect content by 
protecting corresponding, usage enabling "rules and controls" against 
unauthorized distribution and use. 

In some examples, "rules and controls a virtual "credit card" that 

extends credit (up to a certain limit) to pay for usage of any content. A 
"credit transaction" can take place at the user's site without... 
...processes-" The "events" may include, for example, a request to use 
content or generate a usage permission. Some events may need additional 

processing, and others may not. Whether an "event" needs pay a fee 

for each access. 

"Meter" process 404 keeps track of events, and may report usage to 
distributor 106 and/or other appropriate VDE participant(s). Figure 4 
shows that process 404 can be based on a number of different factors such 
as: 

(a) type of usage to charge for, 

(b) what kind of unit to base charges on, 

(c) how much to charge per unit, 

(d) when to report, and 

(e) how to pay.These factors may be specified by the "rules and 
controls for events. It records and reports payment information. 
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Budget process 408 limits how much content usage is permitted. For 
example, budget process 408 may limit the number of times content may... 
...are a special type of "method" 1000 that may specify, among other 
things, limitations on usage of information content 304, and how usage 
will be paid for. Budgets 308 can specify, for example, how much of the 

total basic operations used by "rules and controls." Such "methods" 

1000 may include, for example, how usage is to be "metered," if and how 
content 304 and other information is to be.. .address and data lines) with 
RAM 656, ROM 658 and I/O controller 660. A power supply 659 may provide 
power to SPU 500, CPU 654 and the other system components shown. 

In the example shown POST routines, etc. for use in establishing an 

operating environment for electronic appliance 600 when power is 
applied). 

Figure 8 shows that secondary storage 652 may also be used to store... 
...correction validation of information). SPU 500 may also perform secure 
data management processes including governing usage of, auditing of, and 
where appropriate, payment for VDE objects 300 (through the use of... 
...light. SPU 500 may store secret information in internal memory that 
loses its contents when power is lost. Circuitry may be incorporated 

within SPU 500 that detects microprobing or other tampering 600. 

For example, microprocessor 520 may manage VDE decrypting, encrypting, 
certain content and/or appliance usage control information, keeping track 
of usage of VDE secured content, and other VDE usage control related 
functions. 

Stored in each SPU 500 and/or electronic appliance secondary memory 

652 ROS 602 includes software intended for execution by SPU 

microprocessor 520 for, in part, controlling usage of VDE related objects 
300 by electronic appliance 600. As will be explained, these SPU programs 
include "load modules" for performing basic control functions. These 

various programs and associated data are executed and a combination 

calendar and clock. A reliable time base is important for implementing 
time based usage metering methods, "time aged decryption keys," and other 
time based SPU functions. 

The RTC 528 must receive power in order to operate. Optimally, the RTC 
528 power source could comprise a small battery located within SPU 500 or 
other secure enclosure. However, the RTC 528 may employ a power source 
such as an externally located battery that is external to the SPU 500. 
Such an externally located battery may provide relatively uninterrupted 
power to RTC 528, and may also maintain as non-volatile at least a 
portion of the otherwise volatile RAM 534 within SPU 500. 

In one implementation, electronic appliance power supply 659 is also used 
to power SPU 500. Using any external power supply as the only power 
source for RTC 528 may significantly reduce the usefulness of time based 

security techniques unless minimum, SPU 500 recognizes any 

interruption (or any material interruption) of the supply of external 
power, records such interruption, and responds as may be appropriate such 
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as disabling the ability of the SPU 500 to perform certain or all VDE 
processes. Recognizing a power interruption may, for example, be 
accomplished by employing a circuit which is activated by power failure. 
The power failure sensing circuit may power another circuit that includes 
associated logic for recording one or more power fail events. Capacitor 
discharge circuitry may provide the necessary temporary power to operate 
this logic. In addition or alternatively, SPU 500 may from time to 

time some portion of processes performed by SPU 500 under at least 

some circumstances. 

If a power failure and/or RTC 528 discrepancy and/or other event 

indicates the possibility of tampering strings to determine whether 

they compare in a predetermined way. In addition, certain forms of usage 
(such as logical and/or physical (contiguous) relatedness of accessed 

elements) may require searching potentially distribution and whose 

decompression speed is important. In some cases, information that is 
useful for usage monitoring purposes (such as record separators or other 

delimiters) is "hidden" under a compression layer such as SPU 

control firmware 508 and, if desired, encryption key information and 
certain fundamental "load modules." The "kernel" programs, load module 
information, and encryption key information enable the control of certain 

basic functions of the POST, memory allocation, and a dispatcher) 

may be loaded in ROM 532 along with additional load modules that have 
been determined to be required for specific installations or 
applications. 

In the benefit of providing EEPROM and/or flash memory 532b is the 

ability to optimize any load modules and library functions persistently 
stored within SPU 500 based on typical usage at a specific site. Although 

these items could also be stored in NVRAM 534b, EEPROM masked ROM 

532a. Items that need to be updated or that need to disappear when power 
is removed from SPU 500 should not be stored in masked ROM 532a. 

Under some so as to be non-volatile (i.e., it does not lose its 

contents when power is turned off). 

High-speed RAM 534a stores active code to be executed and associated... 
...the operation of SPU 500. For security reasons, certain highly 
sensitive information (e.g., certain load modules and certain encryption 
key related information such as internally generated private keys) needs 

to store data that may change frequently but which preferably 

should not be lost in a power down or power fail mode. 

NVRAM 534b is preferably a flash memory array, but may in addition 
or... execution by SPU 500. "Kernel" programs and/or some or all of the 
non-kernel " load modules" may be stored by SPU 500 in memory external to 

it. Since a secure an external hard disk (assuming transfer to 

flash or hard disk can occur in significant power or system failure 
cases); 
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C provide encryption and decryption buffers for data being released 
from platforms 

C can be seamlessly integrated with a host operating system, to provide a 
common usage paradigm for transaction management and content access 

C integration may take many forms: operating system with the other 

components. Typically, this piece of software is designed to begin 
executing after power is applied to the computer system and hardware 

diagnostics are completed. Thereafter, all use of differently on 

different equipment. For example, a small appliance that typically has 
low levels of usage by one user may implement a database service using 
very different techniques than a very large appliance with high levels of 
usage by many users. This is another aspect of scalability. 

ROS 602 provides a distributed processing more components at the 

same or other locations in a controlled way. For example, a usage control 
associated with object content at auser's location may have a reciprocal 
control at a distributor's location that governs distribution of the 
usage control, auditing of the usage control, and logic to process user 
requests associated with the usage control. A usage control at a user's 
location (in addition to controlling one or more aspects of usage) may 
prepare audits for a distributor and format requests associated with the 
usage control for processing by a distributor. Processes at either end of 

a reciprocal control may processes (e.g., a distributor may be 

limited by a budget for the number of usage control mechanisms they may 
produce). Reciprocal control mechanisms may extend over many sites and 

many as easily as between cooperative processors in a single 

computer. Appliances with different levels of usage and/or resources 
available for ROS 602 functions may implement those functions in very 

different construct provided by the preferred embodiment called a 

"channel") at execution time. For example, a "load module" for execution 
by SPU 500 may reference one or more "method cores," method parameters... 
include explicit calls to ROS 602 requesting the creation of new VDE 
objects 300, metering usage ofYDE objects, storing information in 
VDE-protected form, etc. Thus, a "VDE aware" application can... 
...different element could have disastrous consequences in terms of 
allowing a person to charge her usage to someone else's (or a 

non-existent) credit card. These are merely a few based on the 

following types of elements: 

Permissions Records ("PERC's) 808; 

Method "Cores" 1000; 

Load Modules 1100; 

Data Elements (e.g., User Data Elements ("UDEs") 1200 and Method Data 

Elements different ways. For example, a METER method may respond to 

a "use" event by storing usage information in a meter data structure. The 
same METER method may respond to an "administrative preferred 
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embodiment, method core 1000' may "contain," either explicitly or by 
reference, one or more "load modules" 1 100 and one or more data elements 
(UDEs 1200, MDEs 1202). In the preferred embodiment, a " load module" 
1 100 is a portion of a method that reflects basic instructions and 
intrinsic data. Load modules 1100 in the preferred embodiment contain 
executable code, and may also contain data elements ("DTDs" 1108) 
associated with the executable code. In the preferred embodiment, load 
modules 1100 supply the program instructions that are actually "executed" 
by hardware to perform the process defined by the method. Load modules 
1 100 may contain or reference other load modules. 

Load modules 1 100 in the preferred embodiment are modular and "code pure" 
so that individual load modules may be reenterable and reusable. In order 

for components 690 to be dynamically updatable be individually 

addressable within a global public name space. In view of these design 
goals, load modules 1 100 are preferably small, code (and code-like) pure 
modules that are individually named and addressable. A single method may 
provide different load modules 1 100 that perform the same or similar 

functions on different platforms, thereby making the shown in 

Figure HE comprises a method core 1000', UDEs 1200a & 1200b, an MDE 
1202, load modules HOOa-llOOd, and a further component assembly 

690(k+l). As mentioned above, a the components that are to be 

assembled to create a component assembly. 

One of the load modules 1 100b shown in this example is itself comprised 
of plural load modules 1 100c, 1 lOOd. Some of the load modules (e.g., 
1 100a, 1 lOOd) in this example include one or more "DTD" data elements... 
...e.g., 1108a, 1108b). "DTD" data elements 1108 may be used, for 
example, to inform load module 1 100a of the data elements included in MDE 

1202 and/or UDEs 1200a, 1200b inform a user as to the information 

required and/or manipulated by one or more load modules 1 100, or other 
component elements. Such an application program may also include 

functions for 602 is a finite task. Aspects of its wealth of 

functionality can remain unexploited until market realities dictate the 
implementation of corresponding VDE application functionality. As a 
result, initial product implementation... example of one possible set of 
common entry points are listed below in the table. 

Load 

In the preferred embodiment, services (and the associated RSIs they 
present to RPC manager 732) may be activated during boot by an 
installation boot process that issues an RPC LOAD. This process reads an 
RPC Services Table from a configuration file, loads the service module... 
...time loadable (as opposed to being a kernel linked device driver), and 
then calls the LOAD entry point for the service. A successful return from 
the LOAD entry point will indicate that the service has properly loaded 
and is ready to accept requests. 



RPC LOAD Call Example: SVC(underscore)LOAD (long service(underscore)id) 



Save-2008-11-03_145612 

This LOAD interface call is called by the RPC manager 732 during rights 
operating system 602 initialization. It permits a service manager to load 
any dynamically loadable components and to initialize any device and 

memory required by the service store control and status 

information. For example, in a BSD socket based network connection, a 
LOAD call will initialize the software and protocol control tables, a 

MOUNT call will specify networks 730 that underlies the secure 

database service, may not be "mountable." In this case, a LOAD call will 
make a connection to a database manager 730 and ensure that records 
are callback for each message. 

Close, Unmount and Unload 

The converse of the OPEN, MOUNT, and LOAD calls are CLOSE, UNMOUNT, and 
UNLOAD. These interface calls release any allocated resources back to ... 
...memory manager 680a). 

RPC CLOSE Call Example: SVC(underscore)CLOSE (long svc(underscore)handle) 

This LOAD interface call closes an open service "handle." A service 

"handle" describes a service and subservice speed access, efficient 

updates, and easy integration to host systems at the cost of resource 
usage (most commercial database managers use many system resources). 

The site record number approach uses a... other than the one operated by 
a user who has, or wishes to obtain, some usage rights to such VDE 
objects. In this case, External Services Manager 772 may manage a... 
...information, one or more PERCs 808, one or more method cores 1000', 
one or more load modules 1 100, one or more data structures such as UDEs 

1200 and/or MDEs 1202 structures, and manages the SPU bus interface 

unit 530. Kernel/dispatcher 552 also includes a load module execution 
manager 568 that can load programs into secure execution space for 
execution by SPU 500. 

In the preferred embodiment, kernel/dispatcher 552 may include the 
following software/functional components: 

load module execution manager 568 

task manager 576 

memory manager 578 

virtual memory manager 580 

"low perform simple metering, budgeting and billing using subsets 

of VDE methods combined into single "aggregate" load modules to permit 
the various methods to execute in a single tasking environment. However, 

an the preferred embodiment, it contains a list of references to 

shared data elements (e.g., load modules 1 100 and UDEs 1200), private 
data elements (e.g., method data and local stack e., pages changed 
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by SPE 503) associated with the previously loaded swap blocks, and to 
load all required pages for the new swap block context. 

Kernel/dispatcher 522 preferably manages the individual data 

structures as they are loaded. Once locked, no other SPE 503 task may 
load them and will "block" waiting for the data structure to become 

available. Using a single SPE 503 may, as a practical matter, limit 

the ability of outside vendors to create load modules 1 100 since there 
can be no assurance that they will not cause a "deadly.. .system provides 
an effective mechanism for protecting VDE component assemblies 690 from 
compromise by "rogue" load modules. 

In addition, memory management provided by memory manager 578 operating 

at least in part or become, very large. This eventuality may be 

addressed in two ways: 

1. (1) subdividing load modules 1100; and 

2. (2) supporting virtual paging. 

Load modules 1 100 can be "subdivided" in that in many instances they can 
be broken up into separate components only a subset of which must be 
loaded for execution. Load modules 1100 are the smallest pagable 
executable element in this example. Such load modules 1 100 can be broken 
up into separate components (e.g., executable code and plural data 
description blocks), only one of which must be loaded for simple load 
modules to execute. This structure permits a load module 1 100 to 
initially load only the executable code and to load the data description 
blocks into the other system pages on a demand basis. Many load modules 
1 100 that have executable sections that are too large to fit into SPU 500 
can be restructured into two or more smaller independent load modules. 
Large load modules may be manually "split" into multiple load modules 
that are "chained" together using explicit load module references. 

Although "demand paging" can be used to relax some of these restrictions, 

the allow limited resource SPU 500 configurations to execute large 

and/or multiple tasks. 

C. SPE Load Module Execution Manager 568 

The SPE (HPE) load module execution manager ("LMEM") 568 loads 
executables into the memory managed by memory manager 578 and executes 
them. LMEM 568 provides mechanisms for tracking load modules that are 
currently loaded inside the protected execution environment. LMEM 568 
also provides access to basic load modules and code fragments stored 
within, and thus always available to, SPE 503. LMEM 568 may be called, 
for example, by load modules 1 100 that want to execute other load 
modules. 

In the preferred embodiment, the load module execution manager 568 
includes a load module executor ("program loader") 570, one or more 
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internal load modules 572, and library routines 574. Load module executor 
570 loads executables into memory (e.g., after receiving a memory 
allocation from memory manager 578) for execution. Internal load module 
library 572 may provide a set of commonly used basic load modules 1 100 
(stored in ROM 532 or NVRAM 534b, for example). Library routines 574 

may list of such library functions along with their entry points 

and parameters may be used. Load modules 1 100 may call these routines 
(e.g., using an interrupt reserved for this purpose). Library calls may 
reduce the size of load modules by moving commonly used code into a 
central location and permitting a higher degree of code reuse. All load 
modules 1 100 for use by SPE 503 are preferably referenced by a load 
module execution manager 568 that maintains and scans a list of available 
load modules and selects the appropriate load module for execution. If 
the load module is not present within SPE 503, the task is "slept" and 
LMEM 568 may request that the load module 1 100 be loaded from secondary 
storage 562. This request may be in the form of an RPC call to secure 
database manager 566 to retrieve the load module and associated data 
structures, and a call to encrypt/decrypt manager 556 to decrypt the load 
module before storing it in memory allocated by memory manager 578. 

In somewhat more detail, the preferred embodiment executes a load module 
1 100 by passing the load module execution manager 568 the name (e.g., VDE 
ID) of the desired load module 1 100. LMEM 568 first searches the list of 
"in memory" and "built-in" load modules 572. If it cannot find the 
desired load module 1 100 in the list, it requests a copy from the secure 

database 610 by request that may be handled by ROS secure database 

manager 744 shown in Figure 12. Load module execution manager 568 may 
then request memory manager 578 to allocate a memory page to store the 
load module 1 100. The load module execution manager 568 may copy the load 
module into that memory page, and queue the page for decryption and 

security checks by 556 and key and tag manager 558. Once the page 

is decrypted and checked, the load module execution manager 568 checks 
the validation tag and inserts the load module into the list of paged in 
modules and returns the page address to the caller. The caller may then 
call the load module 1100 directly or allow the load module execution 
module 570 to make the call for it. 

Figure 15a shows a detailed CDRs may include explicitly and/or by 

reference each method core 1000N (or fragment thereof), load module 1 100 

and data structure(s), (e.g., URT, UDE 1200 and/or MDE 1202 use the 

"blueprint" to access (e.g, the secure database manager 566 and/or from 
load module execution manager library(ies) 568) the appropriate "control 

method" that may be used to block 1139) by constructing an 

associated channel detail record specifying the method core(s) 1000N, 
load module(s) 1100, and associated data structure(s) (e.g., UDE(s) 1200 
and/or the preferred embodiment: 

C "tick" ofRTC 528 

C interrupt from bus interface 530 
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C power fail interrupt 

C watchdog timer interrupt 

C interrupt from encrypt/decrypt engine 522 

C memory word change interrupt and addresses the appropriate 

send/receive buffers accordingly. 

SPU 500 generates a power fail interrupt when it detects an imminent 
power fail condition. This may require immediate action to prevent loss 
of information. For example, in the preferred embodiment, a power fail 
interrupt moves all recently written information (i.e., "dirty pages") 
into non-volatile NVRAM 534b, marks all swap blocks as "swapped out," and 
sets the appropriate power fail flag to facilitate recovery processing. 
Kernel/dispatcher 552 may then periodically poll the "power fail bit" in 
a status word until the data is cleared or the power is removed 
completely. 

SPU 500 in the example includes a conventional watchdog timer that 

generates embodiment provide "low level" functions. These functions 

in the preferred embodiment may include, for example, power-on 
initialization, device POST, and failure recovery routines. Low level 

services 582 may also in passing "events" from services supported 

by SPE 503 (HPE 655) to the various methods and load modules that have 
been specified to process these events, and also supports the assembly 

of. is a data structure maintained by channel manager 593 that 

"binds" together one or more load modules 1 100 and data structures (e.g., 
UDEs 1200 and/or MDEs 1202) into a component assembly 690. Channel 
services manager 562 causes load module execution manager 569 to load the 
component assembly 690 for execution, and may also be responsible for 

passing events into Once the channel is created, the channel 

services manager 562 may issue function calls to load module execution 
manager 568 based on the channel 594. The load module execution manager 
568 loads the load modules 1 100 referenced by a channel 594, and requests 

execution services by the kernel/dispatcher event processing 

request as a task, and executes it by executing the code within the load 
modules 1 100 referenced by the channel. 

The channel services manager 562 may be passed an the component 

assembly 690. These called-for method(s) and data structure(s) (e.g., 

load modules 1100, UDEs 1200 and/or MDEs 1202) are each decrypted using 

encrypt/decrypt manager to, in effect, "link" or "bind" the 

elements into a single cohesive executable so the load module(s) can 
reference data structures and any other load module(s) in the component 
assembly. Channel manager 562 may then issue calls to LMEM 568 to load 
the executable as an active task. 

Figure 15 shows that a channel 594 may reference i.e., task) 

associated with that event. The "swap block" may reference one or more 
load modules 1 100, UDEs 1200 and private data areas required to properly 
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process the event. One RPC dispatch table. The preferred embodiment 

RPC dispatch table is organized as a list of Load Module references for 
each RPC service supported internally by SPE 503. Each row in the table 
contains a load module ID that services the call, a control byte that 
indicates whether the call can be made from an external caller, and 
whether the load module needed to service the call is permanently 

resident in SPU 500. The RPC dispatch RPC dispatch table is in 

EEPROM, it flexibly allows for updates to the services without load 
module location and version control issues. 

In the preferred embodiment, SPE RPC manager 550 first Once the RPC 

manager 550 locates the service reference in the RPC dispatch table, the 
load module that services the request is called and loaded using the load 
module execution manager 568. The load module execution manager 568 
passes control to the requested load module after performing all required 
context configuration, or if necessary may first issue a request to load 
it from the external management files 610. 

SPU Time Base Manager 554 

The time base may be provided by encrypt/decrypt manager 556 in 

software. The primary bulk encryption/decryption load modules preferably 
are loaded at all times, and the load modules necessary for other 
algorithms are preferably paged in as needed. Thus, if the primary bulk 
encryption/decryption algorithm is DES, only the DES load modules need be 
permanently resident in the RAM 534a of SPE 503/HPE 655. 

The.. .failure: This information may be analyzed to detect cracking 
attempts or to determine patterns of usage outside expected (and 

budgeted) norms. The audit trail histories in the SPU 500 may be a 

counter plus limit. Counter mode may be used by VDE administrators to 
determine device usage. The limit mode may be used to limit tampering and 

attempts to misuse the electronic administrator. Calls to the 

system wide event summary process may preferably be built into all load 
modules that process the events that are of interest 

The following table shows examples of registered by the VDE 

administrator that first initializes SPE 503 (HPE 655). Certain currency 
consuming load modules and audit load modules that complete the auditing 
process for consumed currency budget may call the summary services 
manager 560 to update the currency consumed value. Special authorized 
load modules may have access to the overall currency summary, while 

additional summaries can be registered versions of SPU 500 may be 

implemented using significantly smaller amounts of RAM 534. "Aggregate" 
load modules as described above may remove flexibility in configuring VDE 
structures and also further limit... 
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